I have a few questions / comments:

- IPv6 has DHCP also. Can that be used instead of RA? (I am not looking to start a war, I just want to understand why you picked RA). This might be an issue because typically RAs would be sent from routers that are not necessarily the captive portal. A DHCP option could be more selectively/dynamically given to clients and could support both captive portal and non-captive portal users on the same L3 segment. Another example use case of this would be for things pre-registered with the portal, no need to worry them further.
- Should it be pointed out that this would only happen after 802.11u, 802.11X, or similar L2 things have already failed to auth?

- You note that you want embedded address literals because the user may have broken DNS settings for that network. If the DHCP server gave you DNS settings which you knowingly ignored, then it is a mis-configuration. The same thing would happen if you statically configured a default router while ignoring what was received in RA or DHCP. In other words, on captive portal networks, I think a more robust interpretation would be that the DNS server supplied from the network is not a hint, it is mandatory at least until registration.

- What happens in the following dual-stack scenario:

    dhcpv4 captive-portal option not set
    dhcpv6 or RA captive-portal option set

  Does that mean the client only has to do portal registration for v4? I think you can guess at all the permutations when dual-stacked. It gets worse for RA because some RAs could have it set but not others. Do we say that this is a misconfiguration? Or do we say if the option is set via *any* means, then assume it is set for them all?

- What about the bad guy who sets up a rogue DHCP server with the option set in order to extract usernames/passwords/money? There was a similar topic that came up (in sunset4, I think) about a hypothetical DHCP option to hint to clients not to use their v4 stack. The most robust thing for a client to do would be to ignore that option due to the possibility of bad guys. That may also mean the most robust thing for a client to do is treat the captive-portal option only as a hint and not necessarily hold everything up because of it.

Dale

Thus spake Warren Kumari ([email protected]) on Wed, Oct 01, 2014 at 05:21:07PM -0400:
> <no hats>
> Hi there all,
>
> I have a draft that I'd like some review / feedback on.
> It will likely be AD sponsored (it doesn't really fit in any working groups).
>
> It is designed to help make the captive portal experience better^W less bad.
> We've all experienced this -- you arrive at a hotel or coffee-shop.
> You open your laptop and connect to the Hilton_Guest network (or
> whatever) and then nothing happens...
> You click refresh on your (in this day and age) https:// pages, and
> either they just hang, or you get some unintelligible SSL error about
> the certificate not matching the site you were trying to get to... or
> you have a VPN / proxy, in which case *nothing* happens.
> You kill the VPN, still nothing.
> You curse a few times, then notice that DNS isn't working. After some
> futzing (and more swearing) you disable your local validating
> resolver, and update resolv.conf to use the hotel network.
>
> Eventually you get a web page that tells you you can get to the
> Internet for the low low price of $9.95 for 24 hours. 3 hours later the
> process repeats. After throwing your laptop on the floor and jumping
> up and down you redo the captive portal dance and continue using the
> 'net.
>
> Now, obviously the bestest possible outcome would be if there were no
> captive portals, but, well, that ain't going to happen.... so, this
> document lets DHCP / RA *tell* your machine where the CP is, so your
> OS can make a connection as soon as you try access the Internet. Yup,
> there are many more details, go read the draft...
>
> http://tools.ietf.org/html/draft-wkumari-dhc-capport-05
>
> W
>
> This technique is complementary with the Wi-Fi Alliance: Hotspot 2.0 /
> PassPoint "ASRA" - Additional Steps Required for Access idea...
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
> ---maf
>
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
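The dual-stack permutations and the rogue-server point Dale raises above, as an added example that is not part of this thread or of draft-wkumari-dhc-capport-05: a small Python model of a client that parses the DHCPv4 option area, pulls out a captive-portal URI, merges hints seen over DHCPv4, DHCPv6 and RA, and treats the result as a hint rather than as a gate on connectivity. The option code (160), the URI sanity checks, the "set via any means" merge policy and the sample option bytes are assumptions constructed for illustration; the TLV framing itself is standard DHCPv4 (RFC 2132).

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Placeholder option code for this example only; the draft had no number
# assigned when this thread was written, so do not rely on this value.
CAPPORT_OPTION_CODE = 160
PAD, END = 0, 255  # standard DHCPv4 option framing (RFC 2132)


def parse_dhcpv4_options(raw: bytes) -> dict:
    """Parse the code/length/value option area of a DHCPv4 message.

    Returns {code: value}. Stops at END and skips PAD. A truncated option
    raises ValueError instead of silently yielding a partial value, so a
    malformed server reply cannot produce a half-parsed portal URI.
    """
    opts = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def capport_uri_from_options(opts: dict) -> Optional[str]:
    """Return the portal URI if the option is present and looks sane.

    The checks (ASCII, absolute URI, http/https scheme, non-empty host) are
    this example's local policy, not requirements taken from the draft.
    """
    value = opts.get(CAPPORT_OPTION_CODE)
    if value is None:
        return None
    try:
        uri = value.decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return uri


@dataclass
class PortalDecision:
    uri: Optional[str]       # where the OS may offer to open a login page
    sources: tuple           # which signalling paths carried the option
    inconsistent: bool       # some paths set it and others did not
    blocking: bool = False   # always False: the option is only a hint


def merge_hints(v4_uri: Optional[str], v6_uri: Optional[str],
                ra_uris: list) -> PortalDecision:
    """Combine the dual-stack permutations asked about in the thread.

    Assumed policy: if the option arrived by *any* means, surface it; if RAs
    disagree with each other, or v4 and v6 disagree, flag the network as
    inconsistent so the UI can say so. Nothing here withholds connectivity,
    which limits what a rogue server gains by setting the option.
    """
    seen = []
    if v4_uri:
        seen.append(("dhcpv4", v4_uri))
    if v6_uri:
        seen.append(("dhcpv6", v6_uri))
    seen.extend(("ra", u) for u in ra_uris if u)
    if not seen:
        return PortalDecision(None, (), False)

    distinct = {u for _, u in seen}
    ra_mixed = any(ra_uris) and not all(ra_uris)            # some RAs set, some not
    dual_mixed = bool(v4_uri) != bool(v6_uri or any(ra_uris))  # v4 vs v6 disagree
    inconsistent = len(distinct) > 1 or ra_mixed or dual_mixed
    return PortalDecision(seen[0][1], tuple(s for s, _ in seen), inconsistent)


# Constructed sample: a DHCPACK option area with message type 5 (ACK), the
# captive-portal option pointing at an example portal, then END.
SAMPLE_URI = b"https://portal.example.net"
SAMPLE_OPTIONS = (b"\x35\x01\x05"
                  + bytes([CAPPORT_OPTION_CODE, len(SAMPLE_URI)]) + SAMPLE_URI
                  + b"\xff")

if __name__ == "__main__":
    v4 = capport_uri_from_options(parse_dhcpv4_options(SAMPLE_OPTIONS))
    # The thread's awkward case: DHCPv4 sets it, only one of two RAs does.
    print(merge_hints(v4, None, [v4, None]))
```

The merge deliberately never sets `blocking`, which is the "hint, not a hold" behaviour Dale argues for; the `inconsistent` flag is what a client would log or show when a network mixes RAs with and without the option.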
